Spectre/Meltdown bug affecting Python ?
Grant Edwards
grant.b.edwards at gmail.com
Sat Jan 6 17:47:25 EST 2018
On 2018-01-06, Ian Kelly <ian.g.kelly at gmail.com> wrote:
>
>> > Furthermore, I'd like to know if Python can mitigate hardware-specific
>> > timing attacks.
>>
>> For CPython, probably not. Anything that Cpython tried to do could be
>> trivially defeated by using something like ctypes to make calls to
>> arbitrary machine code that was written to a file.
>>
>
> It sounds like you're talking about the case where the malicious code is
> hosted by Python. I agree that's probably not realistic to do anything
> about -- if you can run malicious code then you're probably not restricted
> to Python (and without knowing a lot about the attacks, I'm doubtful that
> it's possible to implement them in pure Python anyway).
Yes, that's what I was talking about.
> I think the OP was talking about protecting the data of Python programs
> from other malicious processes, however. The mitigation seems to be like it
> could reasonably be accomplished (at least for core Python -- extension
> code would be on its own).
Ah, yes. Eventually it seems that just compiling CPython with a
compiler that uses something like Google's "retpoline" should help:
https://support.google.com/faqs/answer/7625886
Though I think I understand what the retpoline _is_, I don't really
understand enough about the Spectre vulnerability say much else.
--
Grant Edwards grant.b.edwards Yow! I'm having an
at emotional outburst!!
gmail.com
More information about the Python-list
mailing list